Method for Handling Ciphering Keys in a Mobile Station

ABSTRACT

Techniques for handling ciphering keys in a mobile station comprising a mobile equipment (ME) and a Universal Subscriber Identity Module (USIM) are disclosed. An example method includes obtaining a UMTS cipher key (CK), integrity key (IK), and ciphering key sequence number (CKSN) from the USIM, deriving a 128-bit ciphering key (Kc-128) from the CK and the IK, and storing the Kc-128 and the CKSN on the mobile equipment, separate from the USIM. The stored CKSN is associated with the stored Kc-128, so that the Kc-128&#39;s correspondence to the most current UMTS security context can be tracked. This example method applies to the generation and storage of a 128-bit ciphering key for either the packet-switched or circuit-switched domains. A corresponding user equipment apparatus is also disclosed.

RELATED APPLICATIONS

This application claims priority to U.S. Provisional Patent Application Ser. No. 61/234,489, filed 17 Aug. 2009 and titled “Introduction of 128-bit ciphering key for A5/4 and GEA/4,” and U.S. Provisional Patent Application Ser. No. 61/331,003, filed 4 May 2010 and titled “Improvements to 3GPP Technical Specification 24.008.”

FIELD OF THE INVENTION

The present invention relates generally to ciphering in wireless communication systems, and more particularly relates to techniques for handling ciphering keys in UMTS mobile stations.

BACKGROUND

Members of the 3^(rd)-Generation Partnership Project (3GPP) are currently developing Release 9 improvements to the family of standards for the Universal Mobile Telecommunications System (UMTS). As part of this work, new encryption algorithms have been introduced, including the A5/4 algorithm for GSM circuit-switched services and the GEA4 for GSM GPRS (packet-switched) services. These algorithms are defined in the 3GPP document 3GPP TS 55.226, “3G Security; Specification of the A5/4 Encryption Algorithms for GSM and ECSD, and the GEA4 Encryption Algorithm for GPRS.” As specified in that document, the new encryption algorithms A5/4 and GEA4 each require a full 128-bit ciphering key.

A key derivation function to derive a 128-bit ciphering key (Kc-128) in the mobile equipment and in the network has been defined in the 3GPP document 3GPP TS 33.102, “3G security; Security architecture,” for Release 9. The Kc-128 is derived from the UMTS security keys (i.e., the ciphering key, CK, and the integrity key, IK), which are associated with the corresponding 64-bit GSM ciphering key in the current setting. Therefore, since the UMTS security keys are needed to derive the 128-bit key, the user must have a Universal Subscriber Identity Module (USIM) in use in the user equipment (UE) and the network needs to initiate the UMTS AKA (authentication) procedure towards the UE, in order to be able to use the encryption algorithms A5/4 and GEA4 for GSM and GSM GPRS services.

3GPP TS 33.102 has also specified that the Kc-128 is stored only in the mobile equipment (ME) and not in the USIM, and that this ciphering key is deleted when the ME is powered down as well as when the USIM is removed from the UE.

FIG. 7 is taken from 3GPP TS 33.102, and illustrates the scenarios in which a Kc-128 is derived from CK and IK by the ME and network. While the 3GPP specifications outline the basis usage scenarios for the Kc-128, complete analysis and specification of the handling of the Kc-128 by the ME has not been performed prior to the development of the present invention.

SUMMARY

Techniques for handling ciphering keys in a mobile station comprising a mobile equipment (ME) and a Universal Subscriber Identity Module (USIM) are disclosed. An example method includes obtaining a UMTS cipher key (CK), integrity key (IK), and ciphering key sequence number (CKSN) from the USIM, deriving a 128-bit ciphering key (Kc-128) from the CK and the IK, and storing the Kc-128 and the CKSN on the mobile equipment, separate from the USIM. The stored CKSN is associated with the stored Kc-128, so that the Kc-128's correspondence to the most current UMTS security context can be tracked. This example method applies to the generation and storage of a 128-bit ciphering key for either the packet-switched or circuit-switched domains.

In some embodiments, the obtaining, deriving, and storing steps discussed above are performed in response to a determination that a ciphering algorithm requiring a 128-bit ciphering key is to be taken into use. In others, these steps are performed in response to determining that a new UMTS security context has been established. In still others, these steps are performed at the same time as or in response to determining that a 64-bit ciphering key is generated.

In various embodiments, the stored Kc-128 is applied to a 128-bit ciphering algorithm in response to determining that the ciphering algorithm is to be taken into use. In some of these embodiments, the validity of the stored Kc-128 is verified by obtaining a most recent CKSN from the USIM and comparing the most recent CKSN to the stored CKSN to verify a match, prior to applying the stored Kc-128 to the ciphering algorithm. In some of these embodiments, if the most recent CKSN does not match the stored CKSN, then the ME obtains a new UMTS cipher key (CK), new integrity key (IK), and new ciphering key sequence number (CKSN) from the USIM, derives a new Kc-128 from the new CK and the new IK, and stores the new Kc-128 and the new CKSN on the mobile equipment.

In some embodiments, more than one Kc-128 may be stored on the ME. Thus, some embodiment include the steps of obtaining a new CK, new IK, and new CKSN from the USIM, deriving a new Kc-128) from the new CK and the new IK, and storing the new Kc-128 and the new CKSN on the mobile equipment, in addition to the previously stored Kc-128 and CKSN. In these embodiments, the ME is configured to track the Kc-128 that corresponds to the most recent successful UMTS authentication and key agreement process. Upon determining that a ciphering algorithm requiring a 128-bit ciphering key is to be activated, some of these embodiments are configured to overwrite the previously stored Kc-128 and CKSN with the new Kc-128 and new CKSN.

The stored CKSN may become invalid under a number of circumstances. In response to determining that the CKSN is invalid, various embodiments are configured to delete the stored CKSN. The determination that the stored CKSN is invalid may result from detecting that the corresponding CKSN on the USIM has been or is to be deleted, detecting that the update status on USIM for circuit-switched services is changed to “U2 NOT UPDATED,” “U3 ROAMING NOT ALLOWED,” or “U4 UPDATING DISABLED,” detecting that the update status on USIM for packet-switched services is changed to “GU2 NOT UPDATED” or “GU3 ROAMING NOT ALLOWED,” or detecting that the USIM has been disabled.

Mobile station apparatus corresponding generally to the methods summarized above are also disclosed, and include processing circuits configured to carry out one or more of the key-handling techniques described herein. Of course, those skilled in the art will appreciate that the present invention is not limited to the above features, advantages, contexts or examples, and will recognize additional features and advantages upon reading the following detailed description and upon viewing the accompanying drawings

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a user equipment, including a mobile equipment (ME) and Universal Subscriber Identity Module (USIM), according to some embodiments of the present invention.

FIG. 2 illustrates the storing of a Universal Mobile Telecommunications System (UMTS) security context in the USIM, for each of the circuit-switched and packet-switched domains.

FIG. 3 is a process flow diagram illustrating a method for handling ciphering keys in a mobile station comprising a mobile equipment and a USIM.

FIG. 4 is another process flow diagram illustrating a method for handling ciphering keys, in which the Kc-128 is derived in response to determining that a 128-bit ciphering algorithm is taken into use.

FIG. 5 is another process flow diagram illustrating a method for handling ciphering keys, in which the Kc-128 is derived in response to determining that a new UMTS security context has been established.

FIG. 6 is another process flow diagram illustrating another method for handling ciphering keys.

FIG. 7 illustrates key agreement scenarios in UMTS and GSM networks.

DETAILED DESCRIPTION

Various embodiments of the present invention are now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, numerous specific details are set forth for purposes of explanation, in order to provide a thorough understanding of one or more embodiments. It may be evident to one of ordinary skill in the art, however, that one or more embodiments of the present invention may be implemented or practiced without one or more of these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing one or more embodiments.

While the techniques and solutions described herein are described generally in the context of the application of the A5/4 and GEA4 ciphering algorithms, those skilled in the art will appreciate that additional new encryption algorithms may be supported in UMTS and/or GSM networks in future. The techniques described herein are intended to support these new encryption algorithms and the present invention is thus not limited to the use of these already specified algorithms.

Several of the embodiments are described herein in connection with a radio access terminal, which communicates wirelessly with fixed base stations in the wireless network. The radio access terminal can also be called a system, subscriber unit, subscriber station, mobile station, mobile, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent, or user device, and is commonly referred to as user equipment (UE) in the 3GPP specifications. An access terminal can be a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device having wireless connection capability, computing device, or other processing device connected to a wireless modem. In the context of UMTS-capable terminals, a complete UE comprises a mobile equipment (ME) coupled to a Universal Subscriber Identity Module (USIM).

One such UE 100 is illustrated in FIG. 1; UE 100 comprises ME 105 and USIM 150. ME 105 comprises one or more radio transceivers 110, each configured for operation in one or more frequency bands according to one or more particular wireless standards such as GSM, GPRS, EDGE, W-CDMA, HSPA, etc. ME 105 further comprises processing circuits 120, which in turn may include one or several microprocessors, microcontrollers, digital signal processors, and the like, configured with appropriate firmware and/or software. As shown in FIG. 1, these processing circuits 120 are configured for one or more terminal applications, which may include, for example, user interface-related programs for allowing a user to operate the device, personal information management programs, multimedia applications, etc. The processing circuits are also configured to carry out one or more radio protocols 124, which control the UE's communications with base stations according to one or more wireless telecommunication standards. Finally, the ME 105 includes a Kc-128 handling application 126, the details of which will be described more fully below.

USIM 150 includes, inter alia, a UMTS key derivation and storage function 155. During a UMTS authentication and key agreement (AKA) process, the USIM and the network agree on a 128-bit cipher key known as CK, as well as a 128-bit integrity key known as IK. These keys, along with a ciphering key sequence number (CKSN), make up a UMTS security context. (Note that in the UMTS context, the CKSN is sometimes called the key set identifier, or KSI. The term CKSN is used herein.) A separate UMTS security context may be obtained for each of the circuit-switched (CS) domain and the packet-switched (PS) domain. Thus, as shown in FIG. 2, the UMTS key derivation and storage function 155 may include a circuit-switched domain cipher key (CS-CK) 210, a circuit-switched domain integrity key (CS-IK) 220, a circuit-switched domain CKSN (CS-CKSN) 230, a packet-switched domain cipher key (PS-CK) 240, a packet-switched domain integrity key (PS-IK) 250, and a packet-switched domain CKSN (CS-CKSN) 260. At various times, depending on the activities the UE 100 is engaged in, and depending on the configuration of the supporting network, one, both, or neither of these UMTS security contexts may exist in the USIM 150.

As noted above, a key derivation function to derive a 128-bit ciphering key (Kc-128) in the ME and in the network has been defined in the 3GPP TS 33.102 for Release 9. The Kc-128 is derived from the UMTS security keys CK and IK. Prior to the addition of 128-bit encryption algorithms to the standards, the use of CK and IK to generate a 64-bit GSM ciphering key has already been standardized. Because the UMTS security keys are needed to generate the 128-bit ciphering key Kc-128, the UE obviously is required to be coupled to a USIM, with an active UMTS security context, in order to begin the use of either of the encryption algorithms A5/4 and GEA4 in the network.

FIG. 7 is taken from 3GPP TS 33.102, and illustrates the scenarios in which a Kc-128 is derived from CK and IK by the ME and network. While the 3GPP specifications outline the basis usage scenarios for the Kc-128, complete analysis and specification of the handling of the Kc-128 by the ME has not been performed prior to the development of the present invention.

So far, 3GPP TS 33.102 has specified that the Kc-128 is stored only in the mobile equipment (ME) and not in the USIM. In order to allow the ME to determine whether a particular Kc-128 is still valid, the stored Kc-128 should be associated with a CKSN, which is also stored in the ME. Thus, in both of the circuit-switched and packet-switched domains, the CKSN provided by the network to the ME during the UMTS AKA procedure is linked to any derived Kc-128 bit ciphering key, as well as to any corresponding 64-bit ciphering key. As a result, at any given time an ME may store a Kc-128 and an associated CKSN (and Kc-64) for the circuit-switched domain, a Kc-128 and associated CKSN (and Kc-64) for the packet-switched domain, both, or neither.

For security reasons, the Kc-128 (for either or both domains, as applicable) is deleted when the ME is powered down, as well as when the USIM is removed from the UE. However, these are not the only scenarios in which the Kc-128 should be deleted. In both the circuit-switched and packet-switched domains, whenever the CKSN of the corresponding UMTS security context is deleted, the linked Kc-128 bit ciphering key, if exists, is deleted from the ME as well. In addition, both the CKSN and associated Kc-128 (for either or both domains, as applicable) should be deleted when the USIM is removed from the device or when the USIM's operation is disabled (e.g., by user command).

Furthermore, a UMTS security context may be invalidated under certain circumstances. Accordingly, in the circuit-switched domain, the ME shall delete any Kc-128 ciphering key for circuit-switched services stored in the ME when the update status on USIM for circuit switched services is changed to “U2 NOT UPDATED”, “U3 ROAMING NOT ALLOWED,” or “U4 UPDATING DISABLED,” as result of a Non-Access Stratum (NAS) signaling procedure such as a Location Area Update procedure, Authentication Failure, CM service reject. Likewise, in the packet-switched domain, the ME shall delete any Kc-128 ciphering key when the update status on the USIM for GPRS services is changed to “GU2 NOT UPDATED,” or “GU3 ROAMING NOT ALLOWED,” as a result of a NAS signaling procedure such as GPRS Attach, NW initiated Detach, Authentication procedure or Routing Area Update procedure.

An ME with a USIM in use shall apply the Kc-128 bit ciphering key for circuit-switched services when, in A/Gb mode, an A5 ciphering algorithm (or other algorithm) that requires a 128-bit ciphering key is taken into use. Likewise, an ME with a USIM in use shall apply the Kc-128 bit ciphering key for GPRS when, in A/Gb mode, a GEA ciphering algorithm (or other algorithm) that requires a 128-bit ciphering key is taken into use. In either case, the Kc-128 that is applied when the use of a 128-bit ciphering algorithm is begun should always be based on the most recent successful UMTS authentication procedure. The actual generation of the Kc-128 (for either the CS or PS domains) from the CK and the IK can be at any of several times, however.

For example, the Kc-128 for the circuit-switched or packet-switched domain can be generated:

-   -   the first time when the key is actually needed for use (e.g.,         the first time 128-bit encryption for a particular UMTS security         context for the circuit-switched or packet-switched domain is         activated);     -   every time the key is actually needed for use (i.e., every time         128-bit encryption is activated for the circuit-switched or         packet-switched domain);     -   when the Kc-64 bit ciphering key for a given domain is derived         by the USIM or provided to the ME by the USIM;     -   when the Kc-64 bit ciphering key for a given domain is first put         into use (i.e., the first time 64-bit encryption for a         particular UMTS security context for circuit-switched or         packet-switched domain is activated); or     -   as soon as a UMTS security context for a given domain is         established (i.e., upon completion of the authentication         procedure for UMTS AKA).

Upon derivation of a new Kc-128 for either domain, the ME should generally overwrite the existing Kc-128 bit ciphering key for that domain with the newly derived Kc-128 bit ciphering key. However, as will be discussed in further detail below, some implementations of the ME may provide for the storage of two Kc-128 ciphering keys for each domain—a first one corresponding to the key currently in active use, and a second one corresponding to the most recently completed authentication and key agreement procedure. In such implementations, care must be taken to ensure that the proper key is taken into use upon initiation of a 128-bit encryption algorithm, and that a stored Kc-128 ciphering key is overwritten or marked when it is no longer valid.

FIG. 3 is a process flow diagram illustrating a general method for handling ciphering keys in a mobile station comprising an ME and a USIM. As shown at block 310, the method begins with the obtaining of the current UMTS security context for the circuit-switched context or packet-switched context from the USIM. This includes the cipher key CK, the integrity key IK, and the cipher key sequence number CKSN. The Kc-128 for the given domain is derived from CK and IK, as shown at block 320, using the key derivation function specified in 3GPP TS 33.12 for Release 9. As indicated at block 330, the derived Kc-128 is then stored on the ME (not in the USIM), in association with the CKSN.

As noted above, the generation of the Kc-128 for a given domain can take place at any of several times. One approach is illustrated in FIG. 4. In this approach, the derivation of a Kc-128 for a given domain is triggered by an indication that an algorithm requiring the 128-bit ciphering key is to be taken into use. Thus, as shown at block 410, the ME determines that a GSM Ciphering algorithm or GPRS ciphering algorithm requiring a Kc-128 is being taken into use. If so, then the Kc-128 is generated from the most recent UMTS security context stored on the USIM, as shown at block 420. (This generation is as shown in FIG. 3.) Then, the newly derived Kc-128 is applied to the indicated ciphering algorithm, as shown at block 430.

FIG. 5 illustrates a different approach. In this case, the generation of the Kc-128 for a given domain is triggered by the successful completion of a UMTS AKA procedure for that domain. Again, the illustrated approach is applicable to either or both of the circuit-switched and packet-switched domains. As shown at block 510, then, the procedure begins with a determination that a new UMTS security context exists. If so, then a Kc-128 is generated from the most recent UMTS security context on the USIM, as shown at block 520. This Kc-128 is stored on the ME, in association with the corresponding CKSN, for subsequent use in ciphering operations.

MEs that use the approach of FIG. 5 will generally have a stored Kc-128 on the ME. Upon activation of a 128-bit ciphering algorithm, the ME must take care to ensure that the stored Kc-128 is up to date. FIG. 6 illustrates one possible method for verifying the validity of the stored Kc-128. As shown at block 610, the procedure begins with the determination that a 128-bit algorithm is being taken into use. If so, then the stored CKSN for the appropriate domain is compared with the most recent CKSN, which is obtained from the USIM. This is shown at block 620. If these values match, then the stored Kc-128 is valid, and can be applied to the indicated ciphering algorithm, as shown at block 630. Otherwise, as indicated at block 640, a new Kc-128 must be generated from the latest UMTS security context, existing on the USIM.

Special consideration should be given to ensuring that an ME is using the appropriate key after inter-system handovers to A/Gb mode. There are several possible handovers that should be considered. For instance, in the circuit-switched domain, after an inter-system change from lu mode to A/Gb mode, when an A5/4 algorithm is taken into use that requires a 128-bit ciphering key then the ME shall apply the Kc-128 bit ciphering key (for the circuit-switched domain) derived by the ME from the UMTS security keys from the latest successful authentication procedure. Similarly, in the packet-switched domain, after an inter-system change from lu mode to A/Gb mode, when a GEA algorithm is taken into use that requires a 128-bit ciphering key then the ME must also take care to apply the Kc-128 bit ciphering key (for GPRS) derived by the ME from the UMTS security keys from the latest successful authentication procedure. In either case, this may be done in several ways, such as by generating a new Kc-128 upon activation of the 128-bit ciphering algorithm (e.g., as shown in FIG. 4) or by verifying that the stored Kc-128 corresponds to the latest successful UMTS AKA procedure (e.g., as shown in FIG. 6).

In the circuit-switched domain, a Single Radio Voice Call Continuity (SR-VCC) handover from lu mode to A/Gb mode must also be considered. Those skilled in the art will recognize that this is something of a special case, since this handover represents a transition from a packet-switched voice call to a circuit-switched voice call. After such a handover, if an A5 algorithm is taken into use that requires a 128-bit ciphering key then the ME shall use the derived UMTS security keys CK′ and IK′ for the circuit-switched domain (derived from the CK and IK in use in the packet-switched domain at the time of the handover) to derive a Kc-128 bit ciphering key for CS domain. The security keys CK′ and IK′ for the circuit-switched domain are derived in the same manner currently specified for generating Kc-64 after a SR-VCC handover; the derived CK′ and IK′ are used to generate the circuit-switched Kc-128 using the key derivation function specified in 3GPP TS 33.102. After that, the ME shall apply the new derived Kc-128 bit ciphering key for CS domain.

In the packet-switched domain, the case of inter-system change from S1 mode to A/Gb mode must also be considered. In this scenario the ME's behavior depends on whether the inter-system change occurs in connected mode or in idle mode, and if in idle mode whether the TlN variable indicates “GUTI” or “RAT-related TMSI.”

In connected mode, or in idle mode when the TlN variable indicates “GUTI,” then if a GEA algorithm is taken into use that requires a 128-bit ciphering key, the ME shall apply the Kc-128 bit ciphering key for GPRS derived by the ME from the new derived UMTS security keys. Note that at inter-system change from S1 to A/Gb mode in connected mode or in idle mode when the TlN variable indicates “GUTI”, the ME always derives new UMTS, security keys for GPRS from the EPS security context. (See 3GPP TS 33.401.)

In idle mode, when the TlN variable indicates “RAT-related TMSI,” then if a GEA algorithm is taken into use that requires a 128-bit ciphering key, the ME shall apply the Kc-128 bit ciphering key for GPRS derived by the ME from the UMTS security keys from the latest successful authentication procedure.

In the packet-switched domain, another consideration stems from the fact that an authentication and ciphering procedure may be used by the network in A/Gb mode to enable encryption (ciphering) without any new authentication and key agreement (AKA). Therefore in the context of the Kc-128 bit ciphering key for GPRS:

-   -   if an 64-bit ciphering algorithm is in use and a switch to a         128-bit algorithm is indicated, this means that the UE is using         the latest UMTS security context for GPRS, and then the Kc-128         bit ciphering key for GPRS to apply is derived from the same         UMTS security context for GPRS currently in use. Thus, the         currently stored Kc-128 may be used, as it is derived from the         same context from which the currently used Kc-64 key for GPRS         was derived;     -   if an authentication (UMTS AKA) has taken place (producing a new         UMTS security context in the USIM) and ciphering is disabled,         and then later ciphering is enabled by means of an         authentication and ciphering procedure without a new         authentication taking place, then the ME has to derive the         Kc-128 bit ciphering key for GPRS from the UMTS security context         for GPRS stored in USIM.

In view of the preceding considerations, then, some MEs are configured to carry out the following procedure for determining which Kc-128 to use in A/Gb mode. In A/Gb mode, when an established UMTS security context for GPRS exists, and if the network indicates in the AUTHENTICATION AND CIPHERING REQUEST message to the ME that a GEA ciphering algorithm that requires a 128-bit ciphering key shall be taken into use, then the ME shall take the following actions:

-   -   if authentication is not requested and a GEA ciphering algorithm         that requires 64-bit ciphering key is in use, the Me shall take         into use the Kc-128 bit ciphering key for GPRS derived by the ME         from the GPRS UMTS ciphering key and GPRS UMTS integrity key of         the established UMTS security context in use before the         AUTHENTICATION AND CIPHERING RESPONSE message is transmitted;     -   if authentication is not requested and a GEA ciphering algorithm         that requires 128-bit ciphering key is in use, the Kc-128 bit         ciphering key for GPRS of the established UMTS security context         in use still applies;     -   otherwise, the ME shall take into use the Kc-128 bit ciphering         key for GPRS derived by the ME from the CK and IK provided by         the USIM during the latest successful authentication procedure         before the AUTHENTICATION AND CIPHERING RESPONSE message is         transmitted.

Finally, the addition of 128-bit ciphering capability to A/Gb mode requires modifications to the Logical Link Control layer in the ME. In particular, at least three modifications are needed. First, the GMM entity in the ME should be modified to either indicate to LLC which ciphering key to use (the Kc-64 ciphering key or the Kc-128 ciphering key), or to provide the appropriate ciphering key directly to LLC. Thus, the primitives LLGMM-ASSIGN and LLGMM-PSHO should be modified so they can indicate a Kc-64 bit or a Kc-128 ciphering key or carry a Kc-64 bit or a Kc-128 ciphering key. At present, only Kc-64 is considered. Second, the Input Offset Value (IOV), which is an LLC layer parameter used for ciphering, shall be modified so the rules applying to default IOV values also consider the case of a Kc-128 ciphering key. Again, at present, only Kc-64 is considered. Finally, the ciphering algorithm must be modified so the input parameter can be not only a Kc-64 ciphering key, but also a Kc-128 ciphering key.

As suggested above, some MEs according to the current invention may be configured to store two Kc-128 for the circuit-switched domain or for the packet-switched domain, or both. For instance, one stored Kc-128 ciphering key for the circuit-switched is for current use in encryption, while the other corresponds to the latest UMTS AKA procedure, but is not activated or in use yet. The same may be true for the GPRS Kc-128. In these embodiments, the ME needs to keep track of which stored Kc-128 is the one derived from the latest successful authentication procedure for proper operation. When a Kc-128 is derived from a new UMTS security context, the old key stored and designated as corresponding to the latest UMTS security context should be overwritten with the newly derived key. Likewise, when a Kc-128 is taken into use for the first time for a 128-bit ciphering algorithm, the stored Kc-128 designated as corresponding to the active Kc-128 should be overwritten with the key just taken into use.

The techniques described herein are generally implemented in one or more processing circuits in an ME, such as the processing circuits 120 pictured in the ME 105 of FIG. 1. In some embodiments, processing circuits 120 comprise one or several microprocessors, digital signal processors, and the like, as well as other digital hardware and digital memory. The memory in turn may comprise one or several types of memory such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, etc., and is configured to store program code for executing one or more telecommunications and/or data communications protocols and for carrying out one or more of the key handling techniques described herein. The memory further stores program data and user data received from the wireless base station and to be transmitted to the base station, and may further store various parameters, pre-determined threshold values, and/or other program data for controlling the operation of the mobile station. Mobile equipment 105 obviously includes various other features that are not shown, such as user interface circuitry, positioning circuits, and the like. However, these features are well known to those skilled in the art and are therefore not illustrated.

Examples of several embodiments of the present invention have been described in detail above, with reference to the attached illustrations of specific embodiments. Because it is not possible, of course, to describe every conceivable combination of components or techniques, those skilled in the art will appreciate that the present invention may be implemented in other ways than those specifically set forth herein, without departing from essential characteristics of the invention. The present embodiments are thus to be considered in all respects as illustrative and not restrictive, and all modifications and variations that fall within the scope of the appended claims are intended to be embraced therein. 

1.-26. (canceled)
 27. A method for handling ciphering keys in a mobile station comprising a mobile equipment (ME) and a Universal Subscriber Identity Module (USIM), the method comprising: obtaining a UMTS cipher key (CK), integrity key (IK), and ciphering key sequence number (CKSN) from the USIM; deriving a 128-bit ciphering key (Kc-128) from the CK and the IK; storing the Kc-128 and the CKSN on the mobile equipment, separate from the USIM, wherein the stored CKSN is associated with the stored Kc-128.
 28. The method of claim 27 wherein the CK and the IK are for operation in the packet-switched domain.
 29. The method of claim 27 wherein the CK and the IK are for operation in the circuit-switched domain.
 30. The method of claim 29: further comprising determining that a ciphering algorithm requiring a 128-bit ciphering key is to be taken into use; wherein said obtaining, deriving, and storing are performed in response to said determining.
 31. The method of claim 27: further comprising determining that a new UMTS security context has been established; wherein said obtaining, deriving, and storing are performed in response to said determining.
 32. The method of claim 27: further comprising determining that the USIM has generated a 64-bit ciphering key; wherein said obtaining, deriving, and storing are performed in response to said determining.
 33. The method of claim 27 further comprising: determining that a ciphering algorithm requiring a 128-bit ciphering key is to be taken into use; applying the stored Kc-128 to the ciphering algorithm.
 34. The method of claim 33 further comprising, prior to applying the stored Kc-128 to the ciphering algorithm, obtaining a most recent CKSN from the USIM and comparing the most recent CKSN to the stored CKSN to verify a match.
 35. The method of claim 27 further comprising: determining that a ciphering algorithm requiring a 128-bit ciphering key is to be taken into use; obtaining a most recent CKSN from the USIM and comparing the most recent CKSN to the stored CKSN; in response to determining that the most recent CKSN does not match the stored CKSN: obtaining a new CK, new IK, and new CKSN from the USIM; deriving a new Kc-128 from the new CK and the new IK; storing the new Kc-128 and the new CKSN on the mobile equipment.
 36. The method of claim 27 further comprising: obtaining a new CK, new IK, and new CKSN from the USIM; deriving a new Kc-128) from the new CK and the new IK; storing the new Kc-128 and the new CKSN on the mobile equipment, in addition to the previously stored Kc-128 and CKSN.
 37. The method of claim 36 further comprising: determining whether ciphering algorithm requiring a 128-bit ciphering key is to be activated; in response to determining that the ciphering algorithm requiring a 128-bit ciphering key is to be activated, overwriting the previously stored Kc-128 and CKSN with the new Kc-128 and new CKSN.
 38. The method of claim 27 further comprising: determining whether the stored Kc-128 is invalid; in response to determining that the stored Kc-128 is invalid, deleting the stored Kc-128.
 39. The method of claim 38 wherein determining whether the stored Kc-128 is invalid comprises at least one of: detecting that the corresponding CKSN on the USIM has been or is to be deleted; detecting that the update status on USIM for circuit-switched services is changed to “U2 NOT UPDATED,” “U3 ROAMING NOT ALLOWED,” or “U4 UPDATING DISABLED”; detecting that the update status on USIM for packet-switched services is changed to “GU2 NOT UPDATED” or “GU3 ROAMING NOT ALLOWED”; detecting that the USIM has been disabled.
 40. A mobile station, comprising: a Universal Subscriber Identity Module (USIM); and a mobile equipment (ME) coupled to the USIM via a USIM interface: wherein the ME comprises one or more processing circuits configured to: obtain a UMTS cipher key (CK), integrity key (IK), and ciphering key sequence number (CKSN) from the USIM; derive a 128-bit ciphering key (Kc-128) from the CK and the IK; store the Kc-128 and the CKSN on the mobile equipment, separate from the USIM, wherein the stored CKSN is associated with the stored Kc-128.
 41. The mobile station of claim 40 wherein the CK and the IK are for operation in the packet-switched domain.
 42. The mobile station of claim 40 wherein the CK and the IK are for operation in the circuit-switched domain.
 43. The mobile station of claim 42 wherein the one or more processing circuits are further configured to: determine that a ciphering algorithm requiring a 128-bit ciphering key is to be taken into use; perform said obtaining, deriving, and storing in response to said determining.
 44. The mobile station of claim 40 wherein the one or more processing circuits are further configured to: determine that a new UMTS security context has been established; perform said obtaining, deriving, and storing in response to said determining.
 45. The mobile station of claim 40 wherein the one or more processing circuits are further configured to: determine that the USIM has generated a 64-bit ciphering key (Kc-64); perform said obtaining, deriving, and storing in response to said determining.
 46. The mobile station of claim 40 wherein the one or more processing circuits are further configured to: determine that a ciphering algorithm requiring a 128-bit ciphering key is to be taken into use; apply the stored Kc-128 to the ciphering algorithm.
 47. The method of claim 46 wherein the one or more processing circuits are further configured to, prior to applying the stored Kc-128 to the ciphering algorithm, obtain a most recent CKSN from the USIM and compare the most recent CKSN to the stored CKSN to verify a match.
 48. The mobile station of claim 40 wherein the one or more processing circuits are further configured to: determine that a ciphering algorithm requiring a 128-bit ciphering key is to be taken into use; obtain a most recent CKSN from the USIM and compare the most recent CKSN to the stored CKSN; in response to determining that the most recent CKSN does not match the stored CKSN, to: obtain a new CK, new IK, and new CKSN from the USIM; derive a new Kc-128 from the new CK and the new IK; store the new Kc-128 and the new CKSN on the mobile equipment.
 49. The mobile station of claim 40 wherein the one or more processing circuits are further configured to: obtain a new CK, new IK, and new CKSN from the USIM; derive a new Kc-128 from the new CK and the new IK; store the new Kc-128 and the new CKSN on the mobile equipment, in addition to the previously stored Kc-128 and CKSN.
 50. The mobile station of claim 49 wherein the one or more processing circuits are further configured to: determine whether a ciphering algorithm requiring a 128-bit ciphering key is to be activated; in response to determining that the ciphering algorithm requiring a 128-bit ciphering key is to be activated, overwrite the previously stored Kc-128 and CKSN with the new Kc-128 and new CKSN.
 51. The mobile station of claim 40 wherein the one or more processing circuits are further configured to: determine whether the stored Kc-128 is invalid; in response to determining that the stored Kc-128 is invalid, delete the stored Kc-128.
 52. The mobile station of claim 51 wherein the one or more processing circuits are configured to determine whether the stored Kc-128 is invalid by performing at least one of: detecting that the corresponding CKSN on the USIM has been or is to be deleted; detecting that the update status on USIM for circuit-switched services is changed to “U2 NOT UPDATED,” “U3 ROAMING NOT ALLOWED,” or “U4 UPDATING DISABLED”; detecting that the update status on USIM for packet-switched services is changed to “GU2 NOT UPDATED” or “GU3 ROAMING NOT ALLOWED”; detecting that the USIM has been disabled. 